* [pmg-devel] [PATCH pmg-api/pmg-gui v3 0/3] add default realm option and OIDC configuration panel
From: Markus Frank @ 2025-03-12 9:43 UTC
To: pmg-devel
v3:
* Patch 1/3 and 2/3 are new and allow the user to set the default realm.
* see more v3 changes in Patch 3/3
pmg-api:
Markus Frank (1):
Auth Plugin: stop forcing the default realm to be the pmg realm
src/PMG/Auth/Plugin.pm | 2 --
1 file changed, 2 deletions(-)
pmg-gui:
Markus Frank (2):
realms: allow PAM and PMG realms to be edited and set as the default
add OIDC configuration panel for PMG
js/AuthEditOIDC.js | 244 +++++++++++++++++++++++++++++++++++++++++++
js/Makefile | 1 +
js/UserManagement.js | 1 +
js/Utils.js | 17 +--
4 files changed, 257 insertions(+), 6 deletions(-)
create mode 100644 js/AuthEditOIDC.js
--
2.39.5
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
* [pmg-devel] [PATCH pmg-api v3 1/3] Auth Plugin: stop forcing the default realm to be the pmg realm
From: Markus Frank @ 2025-03-12 9:43 UTC
To: pmg-devel
This allows a different realm to be set as the default.
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
new to v3
src/PMG/Auth/Plugin.pm | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/PMG/Auth/Plugin.pm b/src/PMG/Auth/Plugin.pm
index 9268a49..5969911 100755
--- a/src/PMG/Auth/Plugin.pm
+++ b/src/PMG/Auth/Plugin.pm
@@ -144,8 +144,6 @@ sub parse_config {
$cfg->{ids}->{pmg}->{type} = 'pmg'; # force type
$cfg->{ids}->{pmg}->{comment} = "Proxmox Mail Gateway authentication server"
if !$cfg->{ids}->{pmg}->{comment};
- $cfg->{ids}->{pmg}->{default} = 1
- if !$cfg->{ids}->{pmg}->{default};
$cfg->{ids}->{pam}->{type} = 'pam'; # force type
$cfg->{ids}->{pam}->{comment} = "Linux PAM standard authentication"
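Review bot: With the two removed lines in parse_config gone, nothing in this hunk guarantees that any realm carries `default`, or that at most one does. The commit message only says that another realm can now be the default. Please state what the login view preselects when no realm has `default` set (configs that relied on the flag being injected here at parse time end up in that state), and where uniqueness is enforced once a second realm is marked as default. If that is handled in the update path, a short comment next to the remaining forced `type`/`comment` assignments for `pmg` and `pam` would make it discoverable.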
--
2.39.5
* [pmg-devel] [PATCH pmg-gui v3 2/3] realms: allow PAM and PMG realms to be edited and set as the default
From: Markus Frank @ 2025-03-12 9:43 UTC
To: pmg-devel
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
new to v3
js/UserManagement.js | 1 +
js/Utils.js | 16 ++++++++++------
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/js/UserManagement.js b/js/UserManagement.js
index f6ada1b..79d1e3f 100644
--- a/js/UserManagement.js
+++ b/js/UserManagement.js
@@ -40,6 +40,7 @@ Ext.define('PMG.UserManagement', {
itemId: 'realms',
baseUrl: '/access/auth-realm',
storeBaseUrl: '/access/auth-realm',
+ showDefaultRealm: true,
iconCls: 'fa fa-address-book-o',
},
],
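Review bot: `showDefaultRealm: true` is added to the `realms` item without any consumer in this series, and the v3 changelog of patch 3/3 says showDefaultRealm was removed and the 'Default realm' field is never hidden. Please confirm that the realm view still reads this option; if it does not, drop the line. The commit message also has no body, so a sentence on why the flag is needed would help.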
diff --git a/js/Utils.js b/js/Utils.js
index d4a55a8..aa17d83 100644
--- a/js/Utils.js
+++ b/js/Utils.js
@@ -877,12 +877,16 @@ Ext.define('PMG.Utils', {
Proxmox.Schema.authDomains.ldap.add = false;
Proxmox.Schema.authDomains.ad.add = false;
- Proxmox.Schema.authDomains.pam.edit = false;
- Proxmox.Schema.authDomains.pmg = {
- add: false,
- edit: false,
- sync: false,
- };
+ Proxmox.Schema.overrideAuthDomains({
+ pmg: {
+ name: 'Proxmox Mail Gateway authentication server',
+ ipanel: 'pmxAuthSimplePanel',
+ add: false,
+ edit: true,
+ pwchange: true,
+ sync: false,
+ },
+ });
// do whatever you want here
Proxmox.Utils.override_task_descriptions({
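Review bot: The added block depends on `Proxmox.Schema.overrideAuthDomains` and on the `pmxAuthSimplePanel` xtype, neither of which is defined in this series, so the patch should name the widget-toolkit version that provides them and bump the dependency accordingly. In addition, PAM becomes editable only implicitly, by dropping `Proxmox.Schema.authDomains.pam.edit = false;`, while `pmg` is spelled out in full with `edit: true` and `pwchange: true`. Since the commit message has no body, please state there that both changes are intended.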
--
2.39.5
* [pmg-devel] [PATCH pmg-gui v3 3/3] add OIDC configuration panel for PMG
From: Markus Frank @ 2025-03-12 9:43 UTC
To: pmg-devel
AuthEditOIDC.js is based on AuthEditOpenId from widget-toolkit and
adds additional configuration options for autocreate-role-assignment.
Use sub/preferred_username for username-claim instead of the old names
(subject/username/email) because subject and username do not exist in
the current OpenID Connect specifications [0] and the email option is
incompatible with the username scheme.
[0] https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
Signed-off-by: Markus Frank <m.frank@proxmox.com>
---
v3:
* removed hideRoleAssignment and used !autocreate instead
* use delete_if_default to delete autocreate-role-assignment
* added gettext to text inside combo boxes
* removed showDefaultRealm and never hide 'Default realm' field
v2:
* renamed subject to sub
* renamed username to preferred_username
* removed email entirely
js/AuthEditOIDC.js | 244 +++++++++++++++++++++++++++++++++++++++++++++
js/Makefile | 1 +
js/Utils.js | 1 +
3 files changed, 246 insertions(+)
create mode 100644 js/AuthEditOIDC.js
diff --git a/js/AuthEditOIDC.js b/js/AuthEditOIDC.js
new file mode 100644
index 0000000..ad6683f
--- /dev/null
+++ b/js/AuthEditOIDC.js
@@ -0,0 +1,244 @@
+Ext.define('PMG.OIDCInputPanel', {
+ extend: 'Proxmox.panel.InputPanel',
+ xtype: 'pmgAuthOIDCPanel',
+ mixins: ['Proxmox.Mixin.CBind'],
+
+ type: 'oidc',
+
+ viewModel: {
+ data: {
+ roleSource: '__default__',
+ autocreate: 0,
+ },
+ formulas: {
+ hideFixedRoleAssignment: function(get) {
+ return get('roleSource') !== 'fixed' || !get('autocreate');
+ },
+ hideClaimRoleAssignment: function(get) {
+ return get('roleSource') !== 'from-claim' || !get('autocreate');
+ },
+ },
+ },
+
+ onGetValues: function(values) {
+ let me = this;
+
+ if (me.isCreate && !me.useTypeInUrl) {
+ values.type = me.type;
+ }
+
+ let autocreateRoleAssignment = {};
+ if (values.source) {
+ autocreateRoleAssignment.source = values.source;
+ }
+ if (values.source === 'fixed') {
+ autocreateRoleAssignment['fixed-role'] = values['fixed-role'];
+ } else if (values.source === 'from-claim') {
+ autocreateRoleAssignment['role-claim'] = values['role-claim'];
+ }
+ values['autocreate-role-assignment'] = Proxmox.Utils.printPropertyString(autocreateRoleAssignment);
+ Proxmox.Utils.delete_if_default(values, 'autocreate-role-assignment', '', me.isCreate);
+
+ delete values.source;
+ delete values['fixed-role'];
+ delete values['role-claim'];
+
+ return values;
+ },
+
+ setValues: function(values) {
+ let autocreateRoleAssignment =
+ Proxmox.Utils.parsePropertyString(values['autocreate-role-assignment']);
+
+ values.source = autocreateRoleAssignment.source ?? '__default__';
+
+ if (autocreateRoleAssignment.source === 'fixed') {
+ values['fixed-role'] = autocreateRoleAssignment['fixed-role'];
+ }
+ if (autocreateRoleAssignment.source === 'from-claim') {
+ values['role-claim'] = autocreateRoleAssignment['role-claim'];
+ }
+
+ this.callParent(arguments);
+ },
+
+
+ columnT: [
+ {
+ xtype: 'textfield',
+ name: 'issuer-url',
+ fieldLabel: gettext('Issuer URL'),
+ allowBlank: false,
+ },
+ ],
+
+ column1: [
+ {
+ xtype: 'pmxDisplayEditField',
+ name: 'realm',
+ cbind: {
+ value: '{realm}',
+ editable: '{isCreate}',
+ },
+ fieldLabel: gettext('Realm'),
+ allowBlank: false,
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Default realm'),
+ name: 'default',
+ value: 0,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ autoEl: {
+ tag: 'div',
+ 'data-qtip': gettext('Set realm as default for login'),
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Client ID'),
+ name: 'client-id',
+ allowBlank: false,
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ fieldLabel: gettext('Client Key'),
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ name: 'client-key',
+ },
+ ],
+
+ column2: [
+ {
+ xtype: 'pmxDisplayEditField',
+ name: 'username-claim',
+ fieldLabel: gettext('Username Claim'),
+ editConfig: {
+ xtype: 'proxmoxKVComboBox',
+ editable: true,
+ comboItems: [
+ ['__default__', Proxmox.Utils.defaultText],
+ ['sub', gettext('sub (subject)')],
+ ['preferred_username', gettext('preferred_username')],
+ ],
+ },
+ cbind: {
+ value: get => get('isCreate') ? '__default__' : Proxmox.Utils.defaultText,
+ deleteEmpty: '{!isCreate}',
+ editable: '{isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'scopes',
+ fieldLabel: gettext('Scopes'),
+ emptyText: `${Proxmox.Utils.defaultText} (email profile)`,
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ name: 'prompt',
+ fieldLabel: gettext('Prompt'),
+ editable: true,
+ emptyText: gettext('Auth-Provider Default'),
+ comboItems: [
+ ['__default__', gettext('Auth-Provider Default')],
+ ['none', 'none'],
+ ['login', 'login'],
+ ['consent', 'consent'],
+ ['select_account', 'select_account'],
+ ],
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ ],
+
+ columnB: [
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'comment',
+ fieldLabel: gettext('Comment'),
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'displayfield',
+ value: gettext('Autocreate Options'),
+ },
+ {
+ xtype: 'proxmoxcheckbox',
+ fieldLabel: gettext('Autocreate Users'),
+ name: 'autocreate',
+ bind: {
+ value: '{autocreate}',
+ },
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ {
+ xtype: 'proxmoxKVComboBox',
+ name: 'source',
+ fieldLabel: gettext('Source for Role Assignment'),
+ allowBlank: false,
+ deleteEmpty: false,
+ comboItems: [
+ [
+ '__default__',
+ Proxmox.Utils.defaultText
+ + ' (' + gettext('All auto-created users get audit role') + ')',
+ ],
+ ['fixed', gettext('Fixed role for all auto-created users')],
+ ['from-claim', gettext('Get role from OIDC claim')],
+ ],
+ bind: {
+ value: '{roleSource}',
+ disabled: '{!autocreate}',
+ hidden: '{!autocreate}',
+ },
+ },
+ {
+ xtype: 'pmgRoleSelector',
+ name: 'fixed-role',
+ allowBlank: false,
+ deleteEmpty: false,
+ fieldLabel: gettext('Fixed Role'),
+ bind: {
+ disabled: '{hideFixedRoleAssignment}',
+ hidden: '{hideFixedRoleAssignment}',
+ },
+ },
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'role-claim',
+ allowBlank: false,
+ deleteEmpty: false,
+ fieldLabel: gettext('Role Claim'),
+ bind: {
+ disabled: '{hideClaimRoleAssignment}',
+ hidden: '{hideClaimRoleAssignment}',
+ },
+ },
+ ],
+
+ advancedColumnB: [
+ {
+ xtype: 'proxmoxtextfield',
+ name: 'acr-values',
+ fieldLabel: gettext('ACR Values'),
+ submitEmpty: false,
+ cbind: {
+ deleteEmpty: '{!isCreate}',
+ },
+ },
+ ],
+});
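Review bot: In the `username-claim` field the `editConfig` sets `editable: true`, so any claim name can be typed in, including `email`, which the commit message calls incompatible with the username scheme. Either set `editable: false` so that only `sub` and `preferred_username` can be chosen, or add a validator to the field. Separately, `client-key` is a plain `proxmoxtextfield`, so the client secret is displayed in clear text while it is entered; `inputType: 'password'` would avoid that. For `role-claim`, a tooltip saying that the identity provider then determines the role of every auto-created user would make that trust decision explicit to the admin.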
diff --git a/js/Makefile b/js/Makefile
index d1fab9b..c984bf3 100644
--- a/js/Makefile
+++ b/js/Makefile
@@ -78,6 +78,7 @@ JSSRC= \
LDAPConfig.js \
UserEdit.js \
UserView.js \
+ AuthEditOIDC.js \
TFAView.js \
FetchmailEdit.js \
FetchmailView.js \
diff --git a/js/Utils.js b/js/Utils.js
index aa17d83..d563483 100644
--- a/js/Utils.js
+++ b/js/Utils.js
@@ -871,6 +871,7 @@ Ext.define('PMG.Utils', {
// use oidc instead of openid
Proxmox.Schema.authDomains.oidc = Proxmox.Schema.authDomains.openid;
Proxmox.Schema.authDomains.oidc.useTypeInUrl = false;
+ Proxmox.Schema.authDomains.oidc.ipanel = 'pmgAuthOIDCPanel';
delete Proxmox.Schema.authDomains.openid;
// Disable LDAP/AD as a realm until LDAP/AD login is implemented
--
2.39.5